In this age of ubiquitous social networking, I may look trendy with accounts on all the major apps, but deep down, I’m old-school: these days, I really only use Signal and Proton Mail. Let me take this chance to apologize to those who’ve messaged me on Facebook, Instagram, and other platforms but never got a response; but if you’re reading this, you probably know that the only way to reach me is to email [email protected].
Though more and more people have email addresses, fewer and fewer actually use email. As for instant messaging apps: Hongkongers use WhatsApp, people in Taiwan use LINE and Messenger, and those in Mainland China use WeChat. As a result, even though I’m easy to find, I’m often called a recluse. Fortunately, over the past year, more and more people have started using Signal-from DHK friends, “羽 V 神同行,” to even the US Vice President-so I’m finally starting to feel like a normal person.
Below, I’ll introduce three Signal techniques. Test yourself: if you only know one or two of them, your security awareness could use some work; if you don’t know any, you’re probably just scratching the surface of Signal.
Username: An Extra Layer of Privacy
Unlike WhatsApp, which uses your phone number as your identity, Signal lets you set your own username.
You might think this is nothing special-after all, Telegram, LINE, and even WeChat have usernames. True, but Signal’s username system is different: privacy comes first. By default, others can’t see your phone number, and you can further disable the option for others to find you by your number, completely unlinking your phone number from your username.
For example, if Alice’s phone number is +852 9876 5432 and she sets her Signal username to alice.852 and disables phone number visibility and search, even friends she’s already chatting with can’t see her number. Others, even if they know her number, can only start a conversation with her via alice.852, her QR code, or a link. Thanks to this, DHK friends in large Signal groups can keep their numbers private-no need to reveal them, and you can’t see others’ numbers unless they choose to share.
Note: Display name and username are different. The former is typically in “firstname lastname” format (e.g., Alice Bee) and is the name or nickname shown to your contacts; the latter is in the format username.[two or more digits] (e.g., alice.852), used only to start new conversations. Once you become contacts, neither side can see the other’s username. Privacy-focused users like Alice can change their username as often as they like without affecting existing contacts.
To set your username, tap your profile picture in the Signal app to enter Settings, then tap your avatar again to edit your profile. Here you can also view your current username, QR code, and link, making it easy to share with others.
Safety Number: Is “That Person” Really That Person?
Alice uses her username as her identity and starts chatting with her friend Bob on Signal. One day, Bob’s account gets hacked, and the attacker impersonates Bob to scam Alice. How can Alice tell?
Every Signal conversation has a unique safety number-a string of 60 digits known only to both parties. If a hacker uses a “man-in-the-middle attack” to impersonate Bob, any change in device will trigger a “Your safety number with Bob has changed” message in Alice’s chat with Bob. At this point, a security-conscious Alice will contact Bob through another channel-or even meet in person-to scan the QR code or compare the numbers, confirming each other’s identity.
If you’ve ever seen the message “Your safety number with xxx has changed” in a chat and ignored it, you’re giving impostors an opening. Skilled hackers may wait before making a move, so even if you’ve ignored safety number changes in the past, you should go back and verify, then tap “Mark as verified” to confirm the other party’s identity. This is especially important for company executives, activists, journalists-and of course, vice presidents.
While safety numbers are effective against account hijacking, if the other person’s phone is stolen, cracked, or forcibly unlocked, only your own security awareness can help. If you get suspicious messages (like requests for money, transfers, or personal info), don’t be embarrassed-insist on a video call and discuss something AI can’t easily fake to confirm their identity.
Introducing Contacts via Group: Passing On Trust
Alice and Bob make good use of safety numbers and chat on Signal with mutual trust. After a while, Bob wants to introduce his friend Carol to Alice. Should he give Carol’s contact info to Alice, or vice versa? Should he use phone numbers or usernames?
Neither. The proper way is for Bob, after getting both Alice and Carol’s consent, to create a three-person group, clearly explain the background, and let the two connect directly.
As mentioned, Signal lets you unlink phone numbers from usernames, so there’s no need to reveal either party’s number when making introductions. In fact, Bob might not even have both their phone numbers-or, if he does, those numbers might not be linked to their Signal accounts. As for usernames, they’re only used to start chats; after that, Bob can’t see Alice’s or Carol’s usernames. Even if he has a record, it might already be outdated or reassigned to someone else. Sharing usernames without confirming with Alice and Carol could mean introducing the wrong person.
Most importantly, trust is a network. Introducing contacts via group links the trust between Alice and Bob and between Bob and Carol, so Alice and Carol can both trust each other. Note: here, “trust” means “this person is really who they say they are,” not necessarily that both are trustworthy in other ways. Conversely, if Alice receives a message from a stranger, how can she know whether to accept? Even if Bob has told Carol to reach out, how does Alice know the stranger is really Carol? How can Carol prove her identity?
You might say the odds of a fourth person impersonating Carol at the same time are slim, and that I’m overthinking things. I won’t argue, but I encourage you to consider this: compared to letting two strangers chat directly, introducing new friends via a group is simply better etiquette.
It’s Not a Bug, It’s a Feature
Signal is a communication tool that puts privacy and security first. I’ve heard many say some of Signal’s designs are inconvenient compared to mainstream apps, but these are all deliberate trade-offs. If you truly understand Signal’s philosophy of “minimal data, maximum privacy,” you’ll see that in most cases, “it’s not a bug, it’s a feature.”
I deleted my WhatsApp account over seven years ago and have relied on Signal ever since. There’s a lot more I could share about it-whether deeper technical insights or beginner tips. If you’re interested, please leave a comment and let me know this is a topic worth continuing.
P.S. I’ve long wanted to make an audio version of this newsletter but lacked the motivation. Recently, I finally enlisted Alice and Bob to help turn last week’s newsletter into a podcast. How does it sound? Should I keep going?
Leave a Reply